Has anyone been able to locate the bitrate table for the camera bitrates?

I've posted here seeking some assistance outlining the process

Basically I'm trying to locate it within the OSMO_FC550_FW_V01.03.00.40_m0100_part_sys.a9s which has been extracted with the tools from this site

https://dashcamtalk.com/forum/threads/changing-the-default-bitrate-of-ambarella-based-cameras-using-aft.10220/page-2

The tools from that site don't work with the A9s obviously, but it's a possibility that the bitrate table view tool can be utilised if a way can be found to determine the start offset of the table within the file.

I'm basing this effort upon specs from here for the Xiaomi Yi 4k camera posted here
http://elproducente.com/4k-xiaomi-yi-action-camera-2-review/

and the project located here which has enabled higher bitrates using autoexec.ash scripts reminiscent of the original gopro hacks
https://github.com/irungentoo/Xiaomi_Yi_4k_Camera

I have tested high speed MicroSD cards at being capable of over 20MB/s, so with good quality high speed cards we should be able to emulate the Xiaomi Yi 4K camera data speeds at least up to 100Mb/s

So this will read the structure array and export the parameters and variables?!?!

We've found a new universal write location... all of the product line seems impacted. POV's disclosure is now much more powerful than originally expected. Now you can Jailbreak DJI Phantom4, Inspire2, Mavic Pro, or Spark with ease.

Git issue comment with info on making it universal here:
MAVProxyUser/P0VsRedHerring#5 (comment)

https://github.com/MAVProxyUser/dji_system.bin/

DJI is currently in violation of GPL... these binaries are intended to be distributed to end users that have purchased either an inspire2, Mavic, Spark, or P4 variant drone,and are seeking to downgrade their aircraft back to its factory state

Use PyDUML to push firmware sans Assistant.app or Assistant.exe
https://github.com/hdnes/pyduml

I've played a bit with Matrice600Pro firmware, How can I flash it?
Note: dji assistant 2 beta 112 don't recognize it!

im going to make a list of know flyc_param_infos parameters, ill update this as i figure them out. if anyone know of any add them in a comment and ill add them to the list

"name" : "g_config.control.vert_up_vel_0" ascend speed
"name" : "g_config.control.vert_down_vel_0" descend speed
"name" : "g_config.engine.upper_bound_0" motor speed limit
"name" : "g_config.engine.idle_level_0" controls idle speed on ground
"name" : "g_config.flying_limit.max_height_0" controls maximum altitude
"name" : "g_config.novice_cfg.max_height_0" maximum height in beginner mode
"name" : "g_config.output_servo.pwm_max_0" effects rev speed when motor starts
"g_config.control.atti_tilt_w_rate_0" set lower for less tilt rate
"g_config.control.atti_torsion_w_rate_0" set lower for slower rate
"g_config.control.manual_tilt_w_rate_0" set lower for slower tilt rate
"g_config.control.manual_torsion_w_rate_0" set lower to slow down torsion, max value is max
"g_config.control.atti_limit_0" limits, limits atti_range max value. effects speed in atti mode
"g_config.control.atti_range_0" limits,directly effect tilt and speed in gps/atti mode
"g_config.control.atti_bat_limit_0" effects the speed according to the battery

i notice the battery firmware is not encrypted. i wonder what could be done to the battery controller so aftermarket batteries could be connected

i figured it out, and crashed too 👍 i set some values low and it took off on if own so i hit the csc and broke most of its fall ,i was only 15 ft in the air whe i realized it wouldnt go down without the csc only need a new top shell but its still flyable. anyways i found out hot to get the app to push the commands. the only app i could get it to work with was 2.4.2. all you have to do is edit the flight controller parameters and mobile flc accordingly. factory reset and there they are.

when i run the tool this is my output

laptop@laptop-VPCEH14FM:~/Desktop/phantom-firmware-tools-master (2)$ python3 dji_flyc_nofly_ed.py -vv -x -m p7_mi01.bin
p7_mi01.bin: Opening for extraction
p7_mi01.bin: Matching zones array at 0x0009df68: 5000 entries
p7_mi01.bin: Matching coords array at 0x00086678: 61 entries
p7_mi01.bin: Matching coords array at 0x00095cac: 4183 entries
p7_mi01.bin: Warning: multiple (2) matches found for fly coords array with alignment 0x02
p7_mi01.bin: Merging No Fly arrays...
laptop@laptop-VPCEH14FM:~/Desktop/phantom-firmware-tools-master (2)$ python3 dji_flyc_nofly_ed.py -vv -u -m p7_mi01.bin
p7_mi01.bin: Opening for update
p7_mi01.bin: Matching zones array at 0x0009df68: 5000 entries
p7_mi01.bin: Matching coords array at 0x00086678: 61 entries
p7_mi01.bin: Matching coords array at 0x00095cac: 4183 entries
p7_mi01.bin: Warning: multiple (2) matches found for fly coords array with alignment 0x02
Traceback (most recent call last):
  File "dji_flyc_nofly_ed.py", line 403, in 
    main(sys.argv[1:])
  File "dji_flyc_nofly_ed.py", line 394, in main
    flyc_nofly_update(po,fwmdlfile)
  File "dji_flyc_nofly_ed.py", line 334, in flyc_nofly_update
    raise NotImplementedError('Not implemented.')
NotImplementedError: Not implemented.

i was just thinking. if someone found a way to make a better antenna for a esp8266. they are so tiny you could put on in a drone a potentially have ALOT of switches all by using it as a access point for your phone controlling it by wifi via script/console. they only run at 3.3v 0.04A

Just found an interesting article, unfortunately Chinese.

The article goes through the process of decoding radio communication from Phantom 3 standard, in order to take over control of a drone in air.

Original link
Google Translation

Do you think you can make your firmware tools work with p4p firmware. would be nice to be able to extract the p4p params. thats the only thing really stopping me from buying one right now lol.

Hello guys, I am new to this so go easy on me please... I upgraded my P3P to version P3X_FW_V01.10.0090, following the DJI guide, and got a failed upgrade signal and the dreaded message in the log file:

[15 00][00] device not detected
[08 00][00] device not detected

After this, there was no video transmission. Then I googled the issue and found a guy who said he resolved this by downgrading all the way to the first version available to him (by the "debug" file method), and then upgrading again, step by step, up to version P3X_FW_V01.08.0080, at which time he got a successful upgrade process, and a functional drone. I proceeded to do the same, but when I tried to go from 1.2.3 to 1.1.9, it went wrong. The process didn't finish, and I found the drone with a limp gimbal, the camera just hanging at an angle underneath, beeping. The last thing written in the log file is:

[00055385]Firmware upgrading[1]...
[00066342][01 00] Firmware upgrade start...

My problem is that now I can't get it to enter the upgrade mode no matter what firmware version I place on the card, with or without the "Debug" file. When I try to force start the upgrade process by pressing the link button during startup, the gimbal immediately goes limp and starts beeping (but not the normal beeps it emits during upgrade). It actually resumes the state in which I found it after the last failed upgrade. It does nothing and writes no log, no matter how long I leave it at it.

This is the last log file, written at the time of that last failed downgrade:
P3X_FW_LOG_AB.txt

So, if you have any ideas, or know of a procedure to make it upgrade again (via serial service pads, or any other method), please help. Also, if you need more info, just let me know.
Thank you!

Moving related posts from other issues.

@MrBurnsAT commented on 13 Jan

I now over exactly one year searched for a solution to Downgrade more than only one Version.

So i really read many about the Phantom and all firmware out there.
And RC models are my hobby since many years. Cars, Planes, Helis, and Copter

But i have not Programmen for a long time.
I really need time to come back in.

For you, this is a gimmick

@aka1ceman commented on 13 Jan

1. Keep in mind the change between A and B remotes.
2. I have downgraded the RC in the past.(my B remote that per DJI can not be upgraded with USB) It may not have been the best way to do it but maybe it will shed some light to help you move forward.
   I did an update with DJI Go which downloaded 1.5 for my RC. (do NOT install) I closed the Go app, went into my android file structure and swapped the file with a 1.3 FW renamed what DJI named the 1.5 download. Restarted the Go app, and finished install. Afterwards, I restarted Go which showed 1.3 FW on the RC.

@MrBurnsAT commented on 13 Jan

Cool thanks for the Tip

But I tried this too, and it didnt work for me.

Which GoApp Version did u use?

Ill try it one more time

@aka1ceman commented on 13 Jan

It was around 2.3 or 2.4. I did get it to work on 2 occasions last year, but reverted back due to no ability to roll back the quad.

@MrBurnsAT commented on 13 Jan

Which 1.3 RC Firmware did u Took?
Or did u Took the Craft Firmware 1.3.2?

@aka1ceman commented on 13 Jan

it was 1.3.2 but not sure which one.

When DJI Go does a RC update, it downloads a file from their server (RC_FW_V1.6.0.bin) into a folder Android/device storage/DJI/dji.pilot/package. It DJI GO installs it from that location.

@aka1ceman commented on 18 Jan

Ok, I figured out what I did ......

Turn on RC, Plug in Tablet, start DJI Go (I used 2.4.2)
Touch and hold top right corner of screen for 5-10 seconds. (tutorial button thanks to Inspire guys)
New screen opens offering to downgrade RC. (I was offered 1.6 and 1.5.8)
Download but do not install.
Using file explorer replace and rename file
I used RC file for 1.3.2 and renamed, and replaced the existing 1.5 file.
Go back to DJI Go app and finish install. It will finish installing. I did install for me although renaming may not be the safest way. Hope this helps.

Now how can we get DJI GO to allow other options of files?

@ferraript commented on 18 Jan

@aka1ceman, that looks very easy, are you sure it was done this way?
because I would be afraid of two things:

1. bin file downloaded by DJI GO will be cached in phone's RAM (and DJI GO will use this one), so replacing the one stored in DJI/dji.pilot/package will have no effect
2. right after click on "Install", DJI Go will either check if checksum is the same, maybe it will also check if header inside the bin file has correct version

you didn't write this, so I'll ask: you only renamed the bin filename? or did you also change version number in header inside the bin file?

@mefistotelis commented on 18 Jan

Now how can we get DJI GO to allow other options of files?

Since the functionality id already there, it shouldn't be hard to unlock it. We just need someone with experience in analysing and recompiling Java code. I'm certain everything is within the Dji Go app.

@notsolowki commented on 18 Jan

Is it possible that the dji go just updates the controller with the parameters.

@aka1ceman commented on 18 Jan

@ferraript,

1. I verified that was the location of the downloaded file. It is not installed or in phones Ram at that point.
2. The normal way "requires updates" button at top of DJI Go will NOT install once the file is renamed. It gives error once name is modified. Once the modified file is removed from that folder, it offers to download again. It sees a file there. Only way I could bypass the error was this trick that Inspire users used to force downloads on RC in the past. Only thing I figure is this bypasses the checksum. NO I only changed the name.

@ferraript commented on 20 Jan

@aka1ceman, thanks for info
today I successfully downgraded my RC's FW from 1.5.7 to 1.4.3, using your instructions
in my case, after first closing of DJI GO and renaming the file, DJI GO redownloaded the FW again
after second closing and reopening DJI GO, it didn't redownload and allowed me to upgrade (actually downgrade) the firmware

@MrBurnsAT commented on 20 Jan

@ferraript which GoApp Version did u use?

2.4.2???

@ferraript commented on 20 Jan

@MrBurnsAT: I used 2.4.3

@MrBurnsAT commented on 20 Jan

Great. Thx

IT worked!

Litchi 2.3.1 is running

@MrBurnsAT commented on 20 Jan

@ferraript

I think about the Standard and 4K Phantoms

Do u think they might can be downgradet like this?
Because they where updated via GoApp and Not sd card

@MrBurnsAT commented on 20 Jan

@ferraript

I think about the Standard and 4K Phantoms

Do u think they might can be downgradet like this?
Because they where updated via GoApp and Not sd card

@ferraript commented on 21 Jan

I'd say there will be no difference
but the best way to find out is to try it :)

@ferraript commented on 26 Jan

I think I finally found links that DJI GO uses for RC FW upgrade:
http://upgrade.dj2006.net/redirect/links/pliot
http://upgrade.dj2006.net/redirect/links/pilot_br

edit: the links are confirmed via Wireshark

C:\Users\Usr\Desktop\phantom-firmware-tools-master>python dji_fwcon.py -vv -x -p P3X_FW_V01.08.0080.bin
P3X_FW_V01.08.0080.bin: Opening for extraction
P3X_FW_V01.08.0080.bin: Header:
{   'entry_count': 16,
    'hdrend_offs': 898,
    'magic': 305419896L,
    'magic_ver': 1,
    'manufacturer': 'DJI',
    'model': 'P3X',
    'padding': '00000000000000000000',
    'salt': 1459829053,
    'ver_latest': 17301584,
    'ver_latest_enc': 120364041,
    'ver_rollbk': 17236028,
    'ver_rollbk_enc': 119774309}
P3X_FW_V01.08.0080.bin: Module index 0
{   'decrypted_len': 43776L,
    'decrypted_md5': 'cc3baf52297f2eb67adf98f0270956f4',
    'dt_offs': 898L,
    'encrypt_type': 1,
    'reserved2': 1,
    'spcoding': 16,
    'splvalue': 0,
    'stored_len': 43776L,
    'stored_md5': 'bbd8964489204dfdb8858d5824a116b0',
    'target': 'm0305',
    'target_name': "main controller 'A3' ldr",
    'version': '34.02.0009'}
P3X_FW_V01.08.0080.bin: Module index 1
{   'decrypted_len': 790016L,
    'decrypted_md5': '9ee6f2692d3982e8ce532372789a50cd',
    'dt_offs': 44674L,
    'encrypt_type': 1,
    'reserved2': 1,
    'spcoding': 16,
    'splvalue': 0,
    'stored_len': 790016L,
    'stored_md5': '229617fbd99769da90e394b239621935',
    'target': 'm0306',
    'target_name': "main controller 'A3' app",
    'version': '02.04.3589'}
P3X_FW_V01.08.0080.bin: Module index 2
{   'decrypted_len': 93696L,
    'decrypted_md5': '2b06bdb11b7b813863cb8efe106667d8',
    'dt_offs': 834690L,
    'encrypt_type': 1,
    'reserved2': 1,
    'spcoding': 16,
    'splvalue': 0,
    'stored_len': 93696L,
    'stored_md5': '6a5e48b0a6b81ed24e14c7548b6d9027',
    'target': 'm0400',
    'target_name': 'gimbal mdl 0',
    'version': '01.44.0000'}
P3X_FW_V01.08.0080.bin: Module index 3
{   'decrypted_len': 19140L,
    'decrypted_md5': '09bebba2951faf82ea3f9cb0793f5dd7',
    'dt_offs': 928386L,
    'encrypt_type': 0,
    'reserved2': 1,
    'spcoding': 0,
    'splvalue': 0,
    'stored_len': 19140L,
    'stored_md5': '09bebba2951faf82ea3f9cb0793f5dd7',
    'target': 'm1100',
    'target_name': 'battery controller 1 app',
    'version': '01.07.3841'}
P3X_FW_V01.08.0080.bin: Module index 4
{   'decrypted_len': 42496L,
    'decrypted_md5': '8f773cc3245745ac6861af803fc520b6',
    'dt_offs': 947526L,
    'encrypt_type': 1,
    'reserved2': 1,
    'spcoding': 16,
    'splvalue': 0,
    'stored_len': 42496L,
    'stored_md5': '4b0ef2a6f0acac04b2c5582ee21361e8',
    'target': 'm1200',
    'target_name': 'electronic speed control 0',
    'version': '01.10.0000'}
P3X_FW_V01.08.0080.bin: Module index 5
{   'decrypted_len': 42496L,
    'decrypted_md5': '8f773cc3245745ac6861af803fc520b6',
    'dt_offs': 990022L,
    'encrypt_type': 1,
    'reserved2': 1,
    'spcoding': 16,
    'splvalue': 0,
    'stored_len': 42496L,
    'stored_md5': '4b0ef2a6f0acac04b2c5582ee21361e8',
    'target': 'm1201',
    'target_name': 'electronic speed control 1',
    'version': '01.10.0000'}
P3X_FW_V01.08.0080.bin: Module index 6
{   'decrypted_len': 42496L,
    'decrypted_md5': '8f773cc3245745ac6861af803fc520b6',
    'dt_offs': 1032518L,
    'encrypt_type': 1,
    'reserved2': 1,
    'spcoding': 16,
    'splvalue': 0,
    'stored_len': 42496L,
    'stored_md5': '4b0ef2a6f0acac04b2c5582ee21361e8',
    'target': 'm1202',
    'target_name': 'electronic speed control 2',
    'version': '01.10.0000'}
P3X_FW_V01.08.0080.bin: Module index 7
{   'decrypted_len': 42496L,
    'decrypted_md5': '8f773cc3245745ac6861af803fc520b6',
    'dt_offs': 1075014L,
    'encrypt_type': 1,
    'reserved2': 1,
    'spcoding': 16,
    'splvalue': 0,
    'stored_len': 42496L,
    'stored_md5': '4b0ef2a6f0acac04b2c5582ee21361e8',
    'target': 'm1203',
    'target_name': 'electronic speed control 3',
    'version': '01.10.0000'}
P3X_FW_V01.08.0080.bin: Module index 8
{   'decrypted_len': 2680L,
    'decrypted_md5': '08e01b61a70e503bb60362eaf4d734cc',
    'dt_offs': 1117510L,
    'encrypt_type': 0,
    'reserved2': 1,
    'spcoding': 0,
    'splvalue': 0,
    'stored_len': 2680L,
    'stored_md5': '08e01b61a70e503bb60362eaf4d734cc',
    'target': 'm1500',
    'target_name': "radio transmitter 'IG810 LB2_68013_TX'",
    'version': '01.01.0512'}
P3X_FW_V01.08.0080.bin: Module index 9
{   'decrypted_len': 77876L,
    'decrypted_md5': '47bea6b588988517d7731a677eaaef44',
    'dt_offs': 1120190L,
    'encrypt_type': 0,
    'reserved2': 1,
    'spcoding': 0,
    'splvalue': 0,
    'stored_len': 77876L,
    'stored_md5': '47bea6b588988517d7731a677eaaef44',
    'target': 'm1700',
    'target_name': "visual positioning module 'camera'",
    'version': '01.01.0263'}
P3X_FW_V01.08.0080.bin: Module index 10
{   'decrypted_len': 25908L,
    'decrypted_md5': 'def18f11a3b0ae5ab53624d52c0e322e',
    'dt_offs': 1198066L,
    'encrypt_type': 0,
    'reserved2': 1,
    'spcoding': 0,
    'splvalue': 0,
    'stored_len': 25908L,
    'stored_md5': 'def18f11a3b0ae5ab53624d52c0e322e',
    'target': 'm1701',
    'target_name': "visual positioning module 'sonar'",
    'version': '01.00.0519'}
P3X_FW_V01.08.0080.bin: Module index 11
{   'decrypted_len': 4194304L,
    'decrypted_md5': '2c3976888e71103fd4bd78f76452cb65',
    'dt_offs': 1223974L,
    'encrypt_type': 0,
    'reserved2': 1,
    'spcoding': 0,
    'splvalue': 0,
    'stored_len': 4194304L,
    'stored_md5': '2c3976888e71103fd4bd78f76452cb65',
    'target': 'm1900',
    'target_name': 'FPGA air model 0',
    'version': '01.00.2144'}
P3X_FW_V01.08.0080.bin: Module index 12
{   'decrypted_len': 56823260L,
    'decrypted_md5': '6cb0abed04e63b23e4e1dcdf6244fa3f',
    'dt_offs': 5418278L,
    'encrypt_type': 0,
    'reserved2': 1,
    'spcoding': 0,
    'splvalue': 0,
    'stored_len': 56823260L,
    'stored_md5': '6cb0abed04e63b23e4e1dcdf6244fa3f',
    'target': 'm0100',
    'target_name': "camera 'Ambarella A9SE' App",
    'version': '01.30.5036'}
P3X_FW_V01.08.0080.bin: Module index 13
{   'decrypted_len': 412780L,
    'decrypted_md5': '7966aeaca3ad0dd1d45551fd70503d3d',
    'dt_offs': 62241538L,
    'encrypt_type': 0,
    'reserved2': 1,
    'spcoding': 0,
    'splvalue': 0,
    'stored_len': 412780L,
    'stored_md5': '7966aeaca3ad0dd1d45551fd70503d3d',
    'target': 'm0101',
    'target_name': "camera 'Ambarella A9SE' Ldr",
    'version': '01.30.5036'}
P3X_FW_V01.08.0080.bin: Module index 14
{   'decrypted_len': 3363336L,
    'decrypted_md5': '62e63c7b2ddd4695a1fd9be58bf6db28',
    'dt_offs': 62654318L,
    'encrypt_type': 0,
    'reserved2': 1,
    'spcoding': 0,
    'splvalue': 0,
    'stored_len': 3363336L,
    'stored_md5': '62e63c7b2ddd4695a1fd9be58bf6db28',
    'target': 'm0800',
    'target_name': "video encoder 'DaVinci Dm368 Linux'",
    'version': '00.13.0007'}
P3X_FW_V01.08.0080.bin: Module index 15
{   'decrypted_len': 74596L,
    'decrypted_md5': '4681e06d881438206f178d1ce538aec9',
    'dt_offs': 66017654L,
    'encrypt_type': 0,
    'reserved2': 1,
    'spcoding': 0,
    'splvalue': 0,
    'stored_len': 74596L,
    'stored_md5': '4681e06d881438206f178d1ce538aec9',
    'target': 'm0900',
    'target_name': "MCU 'NXP LPC1765'",
    'version': '03.00.0010'}
P3X_FW_V01.08.0080.bin: Headers checksum 0F12 matches.
P3X_FW_V01.08.0080.bin: Extracting module index 0, 43776 bytes
P3X_FW_V01.08.0080.bin: Module index 0 stored checksum bbd8964489204dfdb8858d5824a116b0
P3X_FW_V01.08.0080.bin: Extracting module index 1, 790016 bytes
P3X_FW_V01.08.0080.bin: Module index 1 stored checksum 229617fbd99769da90e394b239621935
P3X_FW_V01.08.0080.bin: Extracting module index 2, 93696 bytes
P3X_FW_V01.08.0080.bin: Module index 2 stored checksum 6a5e48b0a6b81ed24e14c7548b6d9027
P3X_FW_V01.08.0080.bin: Extracting module index 3, 19140 bytes
P3X_FW_V01.08.0080.bin: Module index 3 stored checksum 09bebba2951faf82ea3f9cb0793f5dd7
P3X_FW_V01.08.0080.bin: Extracting module index 4, 42496 bytes
P3X_FW_V01.08.0080.bin: Module index 4 stored checksum 4b0ef2a6f0acac04b2c5582ee21361e8
P3X_FW_V01.08.0080.bin: Extracting module index 5, 42496 bytes
P3X_FW_V01.08.0080.bin: Module index 5 stored checksum 4b0ef2a6f0acac04b2c5582ee21361e8
P3X_FW_V01.08.0080.bin: Extracting module index 6, 42496 bytes
P3X_FW_V01.08.0080.bin: Module index 6 stored checksum 4b0ef2a6f0acac04b2c5582ee21361e8
P3X_FW_V01.08.0080.bin: Extracting module index 7, 42496 bytes
P3X_FW_V01.08.0080.bin: Module index 7 stored checksum 4b0ef2a6f0acac04b2c5582ee21361e8
P3X_FW_V01.08.0080.bin: Extracting module index 8, 2680 bytes
P3X_FW_V01.08.0080.bin: Module index 8 stored checksum 08e01b61a70e503bb60362eaf4d734cc
P3X_FW_V01.08.0080.bin: Extracting module index 9, 77876 bytes
P3X_FW_V01.08.0080.bin: Module index 9 stored checksum 47bea6b588988517d7731a677eaaef44
P3X_FW_V01.08.0080.bin: Extracting module index 10, 25908 bytes
P3X_FW_V01.08.0080.bin: Module index 10 stored checksum def18f11a3b0ae5ab53624d52c0e322e
P3X_FW_V01.08.0080.bin: Extracting module index 11, 4194304 bytes
P3X_FW_V01.08.0080.bin: Module index 11 stored checksum 2c3976888e71103fd4bd78f76452cb65
P3X_FW_V01.08.0080.bin: Extracting module index 12, 56823260 bytes
P3X_FW_V01.08.0080.bin: Module index 12 stored checksum 6cb0abed04e63b23e4e1dcdf6244fa3f
P3X_FW_V01.08.0080.bin: Extracting module index 13, 412780 bytes
P3X_FW_V01.08.0080.bin: Module index 13 stored checksum 7966aeaca3ad0dd1d45551fd70503d3d
P3X_FW_V01.08.0080.bin: Extracting module index 14, 3363336 bytes
P3X_FW_V01.08.0080.bin: Module index 14 stored checksum 62e63c7b2ddd4695a1fd9be58bf6db28
P3X_FW_V01.08.0080.bin: Extracting module index 15, 74596 bytes
P3X_FW_V01.08.0080.bin: Module index 15 stored checksum 4681e06d881438206f178d1ce538aec9

C:\Users\Usr\Desktop\phantom-firmware-tools-master>python amba_fwpak.py -vv -x -m P3X_FW_V01.08.0080_mi12.bin
P3X_FW_V01.08.0080_mi12.bin: Opening for extraction
P3X_FW_V01.08.0080_mi12.bin: Header:
{   'crc32': '10B78901',
    'model_name': 'FC300X',
    'ver_info': '0.0-0000'}
P3X_FW_V01.08.0080_mi12.bin: Entries:
[{   'crc32': '037E7EA9',
    'dt_len': 9269056L}, {   'crc32': '43CFCE9A',
    'dt_len': 3889408L}, {   'crc32': '684946EF',
    'dt_len': 11624704L}, {   'crc32': '05B46E5B',
    'dt_len': 5038864L}, {   'crc32': 'EF4876FE',
    'dt_len': 27001088L}]
P3X_FW_V01.08.0080_mi12.bin: Post Header:
{   'part_size': '00000800 00040000 00040000 00100000 02000000 00500000 00f00000 00a00000 03c00000 01e00000 00000000 00500000 00c00000 00500000 00100000'}
P3X_FW_V01.08.0080_mi12.bin: Entry 0
{   'build_date': '2016-03-24',
    'crc32': '56F034C9',
    'dt_len': 9268800L,
    'flag1': '00000000',
    'flag2': '00000000',
    'magic': 'A324EB90',
    'mem_addr': '0E600000',
    'padding': '00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000',
    'version': '1.0'}
P3X_FW_V01.08.0080_mi12.bin: Extracting entry  0, pos      140, len  9268800 bytes
Traceback (most recent call last):
  File "amba_fwpak.py", line 649, in 
    main(sys.argv[1:])
  File "amba_fwpak.py", line 620, in main
    amba_extract(po,fwmdlfile)
  File "amba_fwpak.py", line 405, in amba_extract
    hdcrc = amba_calculate_crc32h_part(copy_buffer, hdcrc)
  File "amba_fwpak.py", line 257, in amba_calculate_crc32h_part
    crc = crc32_tab[(crc ^ octet) & 0xff] ^ (crc >> 8)
TypeError: unsupported operand type(s) for ^: 'long' and 'str'

i wanted to mess around with your scripts just for fun to disassemble it and see what goes on. im not interested in anything illegal

I am simply looking for a way to get into the Wifi parameters.. To increase the output level of the P3P...
I have Used the ftp method on the P3S.. To set it... But there is no method of doing this to the P3P.. It maybe just my ignorance that is stopping me?? I have found all of this info.. But I don't see a way into the settings like in the "MagicPower" Mod for the P3S... I also found in the links below.. A reference to enabling the "wifi" it is from the 1.8.8 bin file.. But I have seen it found in the P3S controller .config.. By Enabling the P3P to have a "Visible" Wifi that you can connect to.. Does two things..
First it is a way into the system.. (ftp)
and also away for it to be "repeated" like I have done with my P3S .. (with any "wireless extender") http://forum.dji.com/thread-58369-1-1.html <this is what was found in the P3S config
Powermagiclog.txt <this is a update log from MagicPower..
P3Ppasswords.txt This is all the system passwords I could come up with..
1.8.8hexbindump.txt< this is what I found in the 1.8.8 bin with a Hex editor..

So Again is there anyone that can Understand all this? Is there a way to mod a bin file to turn on the "WiFi"??

Anybody tried using the USB usually used for Assistant for anything else?

When I connect it to PuTTY on my Windows machine, I get a startup log. But when I connect it to Linux - I see no output.

Am I missing something, or is the serial device unsupported in Linux?

I trired both picocom and simple cat:

#!/bin/bash
.
PORT=ttyACM0
.
n=0
while [ $n -lt 2147483647 ]; do
  if [ -e /dev/${PORT} ]; then
    break
  fi
  if [ $((n % 1000)) -eq 0 ]; then
    printf 'Waiting %d seconds for %s\n' $((n / 100)) ${PORT}
  fi
  sleep 0.01
  n=$((n+1))
done
.
printf 'Port %s found\n' ${PORT}
sleep 0.1
#sudo picocom /dev/${PORT} -b 9600 -d 8 -p n
#exit 0
.
sudo setserial /dev/${PORT} uart 16550A baud_base 9600 \
 spd_normal low_latency
sudo setserial -G /dev/${PORT}
.
printf 'Starting read from %s\n' ${PORT}
sudo cat /dev/${PORT} | od -x

It would help in hacking if we had sharp pictures of all the boards making up Phantom 3 Pro/Adv (both Aircraft and RC).

@notsolowki already prepared photos of camera top board - these are not perfect, but did helped me a lot:
#5 (comment)

The photos should be in good enough quality so that the markings on chips are readable; if they're not - it is best to follow whole board photo by a close-up on parts of the board, and find an angle at which the markings are well visible.

We need photos of both sides of each board.

Photos of the main controller board are easy to find in google; but I wasn't able to find good photos of the RC internals.

I have been logging some of the serial interfaces. The packet structure is similar to the packet structure of the NAZAM/P2 - DJI Assistant. The same 16 bit CRC is used but with a different seed. This code will calculate the CRC on all the interfaces I have sniffed so far:

import struct

def calc_checksum(packet):
crc =[0x0000, 0x1189, 0x2312, 0x329b, 0x4624, 0x57ad, 0x6536, 0x74bf,
0x8c48, 0x9dc1, 0xaf5a, 0xbed3, 0xca6c, 0xdbe5, 0xe97e, 0xf8f7,
0x1081, 0x0108, 0x3393, 0x221a, 0x56a5, 0x472c, 0x75b7, 0x643e,
0x9cc9, 0x8d40, 0xbfdb, 0xae52, 0xdaed, 0xcb64, 0xf9ff, 0xe876,
0x2102, 0x308b, 0x0210, 0x1399, 0x6726, 0x76af, 0x4434, 0x55bd,
0xad4a, 0xbcc3, 0x8e58, 0x9fd1, 0xeb6e, 0xfae7, 0xc87c, 0xd9f5,
0x3183, 0x200a, 0x1291, 0x0318, 0x77a7, 0x662e, 0x54b5, 0x453c,
0xbdcb, 0xac42, 0x9ed9, 0x8f50, 0xfbef, 0xea66, 0xd8fd, 0xc974,
0x4204, 0x538d, 0x6116, 0x709f, 0x0420, 0x15a9, 0x2732, 0x36bb,
0xce4c, 0xdfc5, 0xed5e, 0xfcd7, 0x8868, 0x99e1, 0xab7a, 0xbaf3,
0x5285, 0x430c, 0x7197, 0x601e, 0x14a1, 0x0528, 0x37b3, 0x263a,
0xdecd, 0xcf44, 0xfddf, 0xec56, 0x98e9, 0x8960, 0xbbfb, 0xaa72,
0x6306, 0x728f, 0x4014, 0x519d, 0x2522, 0x34ab, 0x0630, 0x17b9,
0xef4e, 0xfec7, 0xcc5c, 0xddd5, 0xa96a, 0xb8e3, 0x8a78, 0x9bf1,
0x7387, 0x620e, 0x5095, 0x411c, 0x35a3, 0x242a, 0x16b1, 0x0738,
0xffcf, 0xee46, 0xdcdd, 0xcd54, 0xb9eb, 0xa862, 0x9af9, 0x8b70,
0x8408, 0x9581, 0xa71a, 0xb693, 0xc22c, 0xd3a5, 0xe13e, 0xf0b7,
0x0840, 0x19c9, 0x2b52, 0x3adb, 0x4e64, 0x5fed, 0x6d76, 0x7cff,
0x9489, 0x8500, 0xb79b, 0xa612, 0xd2ad, 0xc324, 0xf1bf, 0xe036,
0x18c1, 0x0948, 0x3bd3, 0x2a5a, 0x5ee5, 0x4f6c, 0x7df7, 0x6c7e,
0xa50a, 0xb483, 0x8618, 0x9791, 0xe32e, 0xf2a7, 0xc03c, 0xd1b5,
0x2942, 0x38cb, 0x0a50, 0x1bd9, 0x6f66, 0x7eef, 0x4c74, 0x5dfd,
0xb58b, 0xa402, 0x9699, 0x8710, 0xf3af, 0xe226, 0xd0bd, 0xc134,
0x39c3, 0x284a, 0x1ad1, 0x0b58, 0x7fe7, 0x6e6e, 0x5cf5, 0x4d7c,
0xc60c, 0xd785, 0xe51e, 0xf497, 0x8028, 0x91a1, 0xa33a, 0xb2b3,
0x4a44, 0x5bcd, 0x6956, 0x78df, 0x0c60, 0x1de9, 0x2f72, 0x3efb,
0xd68d, 0xc704, 0xf59f, 0xe416, 0x90a9, 0x8120, 0xb3bb, 0xa232,
0x5ac5, 0x4b4c, 0x79d7, 0x685e, 0x1ce1, 0x0d68, 0x3ff3, 0x2e7a,
0xe70e, 0xf687, 0xc41c, 0xd595, 0xa12a, 0xb0a3, 0x8238, 0x93b1,
0x6b46, 0x7acf, 0x4854, 0x59dd, 0x2d62, 0x3ceb, 0x0e70, 0x1ff9,
0xf78f, 0xe606, 0xd49d, 0xc514, 0xb1ab, 0xa022, 0x92b9, 0x8330,
0x7bc7, 0x6a4e, 0x58d5, 0x495c, 0x3de3, 0x2c6a, 0x1ef1, 0x0f78]

# v = 0x1012 #Naza M
# v =0x1013 #Phantom 2
# v =0x7000 #Naza M V2
v = 0x3692 #P3

for i in range(0, len(packet)-2):
vv = v >> 8
v = vv ^ crc[((packet[i] ^ v) & 0xFF)]
return v

packet = bytearray.fromhex(u'55 12 00 a6 a0 00 40 00 00 00 00 00 00 00 00 00 d3 df')
print ' '.join(format(x, '02X') for x in packet)
crc = calc_checksum(packet)
print "%02X %02X" % (crc & 0xFF, crc >> 8)

Edit: fixed missing packet

I tried to set g_config.flying_limit.max_height_0 and g_config.advanced_function.height_limit_enabled_0 "modify" variables to the "false" from a "true" but this is not possible.
Settings g_config.flying_limit.max_height_0 min/max/def to 5000 is not removing a limit. I am thinking (maybe i am wrong) the app is overriding these settings so i would like to prevent overriding that block by app by changing a 'modify' variable.

Discussion about P3P and P3A.

Any ideas?

After having some issues with current firmware, I decided to downgrade my p4p frimware, since assistant removed the downgrade option, I decided to try and manually downgrade the firmware, and by an accident, I flashed my phantom 4 pro with a phantom 4 firmware. and now here are my drone symptoms

1. It cannot connect to rc. ( also linking doesnt work.. timedout
   2.The AC turns on and the gimbal moves up then stops looking at bottom.
   3.The AC LED camera indicator is flashing red/green/yellow
   4.Tried to flash again with p4p firmware... DID NOT WORK!
2. Tried to restore to factory settings, update via assistant.... DID NOT WORK
3. Tried to connect via cable directly to phone, It does not recognize it on DJI go, and says disconnected.
   7.Tried to put firmware(.bin) file in root directory of sd card. Nothing happened

HELP!

and in case of changing the board, which board is needed to be changed? and another Question, is the camera module broken two? do I need to change the board only? thanks

Hello. I have P3P. After an unsuccessful landing, he stopped sending video to the phone. Telemetry and gimbal work. As I understand it there was a damage to Nand Flash on a gimbal motherboard. (As happens in many). Is it possible to restore working capacity without changing the entire board? Changing the chip itself for example?
Thanks!

i got a phantom 3 pro. from what i understand they don't use a wificard according to hostapd.conf it is a nl8011 chipset card. i would like to enable a shell from the usb port. do you know a quick way or can you point me in the right direction. i suspect ill have a limited number of times i can flash the firmware. right now im on 1.5+ and im not sure if they will let you reflash the same firmware twice so id like to get it right befor i end up at 1.10 and cant upgrade it again. i dont know that to be true im just guessing. Looking at inittab it looks like they have #ttyusb0 to disable its function? i understand the risks of bricking something. do you think i could edit some of the settings it and repack it then load it into the drone at boot it. i jsut want to get shell from the usb port. thanks again

heres wha ti get when attempting to repack the rfs

laptop@laptop-VPCEH14FM:~/Desktop/phantom-firmware-tools-master$ python3 ./amba_romfs.py -vv -a -p p7_mi12_part_romfs.a9s
p7_mi12_part_romfs.a9s: Opening for creation
Traceback (most recent call last):
  File "./amba_romfs.py", line 344, in 
    main(sys.argv[1:])
  File "./amba_romfs.py", line 335, in main
    romfs_create(po,fwpartfile)
  File "./amba_romfs.py", line 255, in romfs_create
    fshead, fsentries = romfs_read_filesystem_head(po)
  File "./amba_romfs.py", line 95, in romfs_read_filesystem_head
    with open(fname, "r") as lines:
FileNotFoundError: [Errno 2] No such file or directory: 'p7_mi12_part_romfs/_header.a9t'
laptop@laptop-VPCEH14FM:~/Desktop/phantom-firmware-tools-master$ 

I have upgraded my phantom 3 pro and had issues with altitute limits. I decided to downgrade the firmware for the previous one. After this my P3P stopped to work and I tried to upgrade again without success. the log file shows the module 19 can not be upgraded, so I read in many differents foruns that I need the service.bin file to fix this problem. Can some one help me on this issue ?

If you read my Naza M/P2V+ write up then you know that the 32 character license string can be calculated like this:

YYYY000000000000f4XXXXXXXXXX50

Where:

Y – May be be '1' or '0', setting it to '1' enables the feature. Only the 4 left hand bits can be set in a valid license file

XXXXXXXXXX – The 10 digit serial number of the FC, for example, 1000000123

On the Linux console a valid “serial number” with no feature flags can be generated for my example FC:

$ printf 0000000000000000f4100000012350 | md5sum

Turns out the same code is in the P3 FC, the only difference being that f450 -> m4a3

This, then, should calculate a license string for a serial number of 03Z0397973

$ printf 0000000000000000m403Z0397973a3 | md5sum

I haven't actually seen such a string in the GUI but I only have access to a P3S. Can someone with one of the more advanced models tell me is there anything that looks like a string of 32 random characters?

It seams phantom 3 standard uses sony imx377eqh5 sensor.
I am not sure but specification looks similar
http://www.sony-semicon.co.jp/products_en/IS/sensor2/img/products/IMX377EQH5_ProductSummary_v1.5_20150414.pdf

Hello all. On DJI Phantom4 FTP server is open and everyone can connect and view files.

Action:

1. Connect drone to Linux OS
2. Drone server connect your computer locally
3. Open terminal and type command "ifconfig" and look for what is IP for new wired connection

In my case wired connection IP is 192.168.42.2

4. Open your favorite browser and type "ftp://192.168.42.2"

Nmap Scanning result:

there are 4 ports opened. 21, 8906, 8907 and 8908
21 ftp
8906, 8907 and 8908 maybe for radio and video signal. I am not sure.

okay so the big question, now that we have a known non-encrypted flight controller "1.7". what are the options as far as changing some angles of the aircraft. like more speed. thanks

What is it going to take to achieve such a thing. im not sure that the mobile SDK will be able to accomplish this task. I'm sitting here looking at a binary with ida and have no clue what to do.

How can we modify the parameters on the mavic drone. It seems like theres alot of info with missing parts all scattered everywhere?

I have been reversing the MVOM0fw.bin file that has been doing the rounds as FW downgrader. It looks to be very similar to the mi15 binary file your tool extracts (matching strings)

I am 99.9% sure that the target chip is a Nuvoton M051 (cortex M0+). It lives on the OFDM board, I am waiting for a sample of that HW to arrive but in the meantime can anyone confirm?

MVOM0fw.bin seems to work its downgrade magic by erasing a 64 byte area of the MCUs flash, I haven't reversed it 100% yet tho

RC Firmware must be changeable too.

Some limitations was added with RC Firmwares 1.6 and newer.
Output Power is reduced from 25mW to 10mW in CE Mode.

And
It should be possible to change CE to FCC Mode
(RC Checks via GPS location and Sets than FCC or CE Mode, USA = FCC, Europe = CE

have you or anyone found descriptions for the "flyc_param" parameters?

In case someone didn't noticed, I started another project focused on hardware schematics:
https://github.com/mefistotelis/dji-hardware-schematics

Example PCB schematic:

Example 3D view:

Hi
There are some persons who tried to hack DJI drones.
Here i want to point to them for helping us to reverse or hack DJI drones

Can anyone find a solution to unbricking this chip.

The flight controller contains a list of parameters, probably used in some kind of external API.

This issue is to discuss that API, and maybe to figure out how to use it.

Each of the parameters has a string name, and address of a variable where it is stored. It also has additional properties, not all known.

Have you considered the possibility of attempting to remove DJI go no fly zone? I have a situation where I have legal permission to fly by control tower but DJI Go will not let me unless I upgrade to the newest firmware then register with them... Which I am not trying to do. I stopped upgrading at 1.6.

does anyone know how to enter developer mode for dji assistant 2 ?
it seem we can set all the parameters / downgrade firmware without limitation and not necessary to flash a patched firmware

here is some screenshot
https://github.com/droner69/MavicPro/blob/master/DJI_Assistant_2_Dev_Pictures/009_Flight%20Restrictions.PNG

https://github.com/droner69/MavicPro/blob/master/DJI_Assistant_2_Dev_Pictures/005_Developer%20Tools.PNG

https://github.com/droner69/MavicPro/blob/master/DJI_Assistant_2_Dev_Pictures/006_FW%20Update%20List.PNG

so digdat0 says the aircraft shows the version he tried to drowngrade to. he says now he has version mismatch and compass error. i figured id start this new issue in case he comes back. heres a link to the thread where he posts screen shots but im sure you probably already know about the thread if not here you go http://www.phantompilots.com/threads/people-that-want-to-downgrade-their-fw-on-their-phantom-3s.99609/#post-1029840

anything you can think of. im staring at a fresh extraction of 1.6 looking for options

Hello

Now im sure DJI does something with our Phantoms if they where sent in for Repair.

Every Craft comes at least with 1.10 back from Repair.

After that only One Version back (down to 1.9) is possible without problems.

If u go lower than 1.9 many different Problems appear.

Compass Problems are the main Problem.

After Downgrade to 1.8 all Compass values are at 0.

How can we Check whats the Problem.
How to solve this Problem?

Just some background.... When some Drones were updated from 1.6.8 to 1.7.9 they got "sensor errors"... (IMU & compass)
DJI released 1.7.94 to fix them...
So....I have just found a Solution??? For the "sensor error" When it is invoked by the downgrade implementation.
It was simple??
But it has to be done in this order...
Assuming you're still at 1.8.1..
If you are 1.8.1 + debug it first...
Downgrade to 1.7.9.. Get the error... Restart... Still Sensor error...
Rerun F/w 1.7.9 with debug... Still Sensor error...Cal the Imu (yep)... still get the error... :(
Then...
Update with 1.7.94 No more error?? :)
Recal Imu ;)
This is the setups I just took to fix it for a member of my group... So I am not Sure if the first IMU cal was anything more... then a waste of time... So,
Revised P3s Debug downgrade How to...
If you have v1.08.10 with a +
Then start here...
v1.08.10 -> v1.08.10 + Debug
v1.08.10 -> v1.07.9
v1.07.9 -> v1.07.9 + Debug
v1.07.9 -> v1.7.94 Only If you get "Sensor Error", if not skip this step..
( I am waiting for clear info on the next step from here for further downgrade.. )
v1.05.7 -> v1.05.7 + Debug
v1.05.7 -> V1.5.75 Only if you get "Sensor Error", if not skip this step...
( I am waiting for clear info on the next step from here for further downgrade.)
and So on..
Here is a list..
v1.0.14
v1.0.17
v1.0.2
v1.01.3
v1.02.4
v1.03.5
v1.04.6
v1.05.7
v1.5.75
v1.06.8
v1.07.8
v1.07.9
v1.7.94
v1.08.10
There are newer and older Firmware Versions that are not listed... Anyone Know them? Links are hard to find..
That all said,
If you get the Sensor error on 1.7.9...
then 1.7.94 will fix it...
But further downgrades it returns?
and 1.5.75 does not fix it??
Should I advise 1.7.94 + debug?? 1.5.75 + debug???
How can We get past this 1.7.94 (1.7.9+) issue?
And downgrade further without error??

Hello

I have an non working HDMI module from an early Inspire1 Remote
Which was long not used and so NAND run full of bad blocks. Was my First thought.

Board is labeled "WM610_GRCP_MFI368_V1"
Interface Board is "WM610_GRCP_INTERFACE_V3"

I Hooked it Up to serial Adapter

And got this

DM36x initialization passed!
UBL Product Vesion : DJI-GRC-SUPER-UBL-1.0-rc0(2014-09-19)
Dji UBL Version: 1.51(Sep 19 2014 - 16:13:09)
Booting Catalog Boot Loader
BootMode = NAND
Starting NAND Copy...
Valid magicnum, 0xA1ACED66, found in block 0x00000019.
Valid magicnum, 0xA1ACED66, found in block 0x0000001D.
No valid boot image found!
NAND Boot failed.
Aborting...

Now my question

Can we extract Firmware for this Board?
Maybe something like uboot image like at Lightbridge hack

Bootloader looks intact

https://s3-ap-northeast-1.amazonaws.com/dji-firmware-test/P3C/P3C_FW_V01.09.0080.bin

strange and huge firmware ( consists two module for camera FC3XX )

Creating separate issue for FCC set by Dji Go to avoid mixing subjects.

@MrBurnsAT commented on Jul 3

Mefistotelis Maybe from go4 App if u Switch to FCC?

@mefistotelis commented on Jul 4

No idea what you mean. Can you use Dji Go 4 with Ph3?

@MrBurnsAT commented on Jul 4

Yes Go4 App Cam Work with p3.
Little bit tricky but works. But i dont know exactly how i did it. Must try more

GO4 App with P3

@mingtaoxin commented on Jul 4

how you can do it ? can you make some explanation ?

@KyokushinPL commented on Jul 4

i connected only to radio by this app:
https://forums.hak5.org/index.php?/topic/41354-remove-ce-limits-from-dji->products/&do=findComment&comment=293797
and i was able to set it to US.

but when i am trying to turn on the bird, then application is saying me i should use old dji go and i cant do anything.
Maybe someone would be able to meter power after changing radio to US.

I am also curious how long this change will affect - to next turn on, how it will be in litchi after turning off dji go 4.

@MrBurnsAT what version do you use?

Update:
OK folks, it can be done by the same method as in first link. I decompiled DJI go app for p3, there are same functions for country code. Its working same way, but i am too weak in java to put it together.

@WindyYam commented on Jul 5

ok, now i know where everything goes. I first post the DJI Go trick on Chinese dji forum on about 6.28 then i dont know who carry to here. It's done by tap flyc serial number view several times

on disconnect the dji go app check TelephoneManager.getNetworkCountryIso() on android for mcc to set the RF power, a easy way is to set gsm.operator.iso-country properties to "us" when mobile network is disabled

but i dont know if it's buggy that mavic boost the rc power not the videofeed, when other drones boost both

@MrBurnsAT commented on Jul 5

Which Version of go App do u use?

Go4 ?
Need GoApp for Phantom 3

@WindyYam commented on Jul 5

The trick exists before GO 4.0.7 , dont know if its there for Go 3

for Phantom user maybe the only way is to set gsm.operator.iso-country to us in root mode, and disable the phone network before start dji go, i have an app for this purpose but need Android root , dont know if you can download this

https://pan.baidu.com/s/1jHPQdO6

@MrBurnsAT commented on Jul 5

Thx could Download it.

Ok. Than i must Root my Nvidia Shield

@MrBurnsAT commented on Jul 5

Saw something like this in the dji Mobile sdk

Creating separate issue for P3C FCC to avoid mixing subjects.

@ferraript commented on Jan 18

regarding FCC vs CE mode, I believe this video instruction should help

@ferraript commented on Jan 24

I just found out in DJI GO 2.4.3 sources interesting class regarding FCC and CE mode: DataRcSetPowerMode.java
it's used in one another class only, \dji\a\d\a.java
here is interesting method, onEventBackgroundThread, that checks, if ProductType is P3S or P34K and if HomePoint coordinates are set
if so, there is link to the most interesting class, \dji\a\f\a.java, where is an array of GPS coordinates and radiuses of CE areas (there is Australia, Japan, India, South Africa and Europe)
if HomePoint is inside any CE area, mode is set to CE, otherwise mode is set to FCC

so it would be interesting to know, that if we add P3X and P3A to that first condition and change the CE areas coordinates, if really Phantom uses FCC mode then

@rulppa commented on Feb 1

`RC Firmware must be changeable too.

Some limitations was added with RC Firmwares 1.6 and newer.
Output Power is reduced from 25mW to 10mW in CE Mode.` ->

I have few modded remotes, one with 1.5.8 and other one with latest FW, i will measure the output with immersion rc RF-meter to confirm both remotes connected to 1.7.6 AC.

@MrBurnsAT commented on Feb 1

U can downgrade Ur RC to 1.5.8, 1.5.7 or 1.4.3 ;-)

So u should have full 25mW power

I downgraded Mine to 1.4.3 because um using Old Litchi Version 2.3.1

With newer Firmwares than 1.4.3 this Old Litchi Versions wont work

@ferraript commented on Feb 1

@rulppa: that would be great
it will finally reveal if those talks were true
by the way, where are you from? I'm thinking about you could test if my DJI GO hack for FCC/CE works

@rulppa commented on Feb 1

@ferraript: i will measure tomorrow, got new ESC-board for new motor p3p today, swapping now and it's getting late. I'm from europe. I guess you are from italy? Forza ferrari, go kimi go lol. Did you notice any difference with your hack? If i test it, i will test it with stock gl300b, other remotes are modded and stock one is more sensitive for these kind of tests.

@ferraript commented on Feb 1

@rulppa, I'm just Ferrari fan from Slovakia
so you are in CE area too, fine
I can send you my DJI GO apk then for testing

@rulppa commented on Feb 1

@ferraript: Can't test .apk, i have only iOS devices, sorry.

@MrBurnsAT commented on Feb 1

@ferraript I can Test it!

Austria ;-)

And i only have Andoids

@ferraript commented on Feb 2

@rulppa: that's pity :(

@MrBurnsAT: greetings to Austria :)
yeah, you can test it, but do you also have some sort of RF meter just like rulppa does?
because I don't believe that the CE/FCC setting is easily distinguishable
for example, I never had problems with my P3A to go to distance 5 km (in CE mode)

@notsolowki commented on Feb 2

what changes did you make to the app ferraript

@ferraript commented on Feb 2

@notsolowki: I made changes I wrote few posts ago (on Jan 24)
as I am from Europe and I have P3A, I changed european radius to few meters and I replaced P3S for P3A in the condition
if you look into the code, I believe you'll understand

@rulppa commented on Feb 2

Measured GL300A and B model radios, without GPS-lock, both 0.72-0.76mW. I will measure again during weekend, with GPS lock. Tested with RC 1.5.8 only, 1.7.6 doesnt seem to work with 1.6 radio.

@notsolowki commented on Feb 3

ferraript i bet you can test the output power at the antennas connector on the circuitbaord

@ferraript commented on Feb 3

sorry, I don't intend to dismantle RC
and after all, I have no tools for measuring something like that

@rulppa commented on Feb 3

I'm testing directly from the RC circuit board with SMA-connectors, i will do the test with GPS lock today. IF it's full power with 1.5.8 (also in CE mode) i should see the same 0.72-0.76mW. (according to OP it should be)

@notsolowki commented on Feb 3

hey ferraript, could you make it so that dji go 3 could send the settings to the drone?

@ferraript commented on Feb 3

@notsolowki I thought you were using 2.4.2 :)
I looked into 3.0.1 sources and it looks like it works the same way like in 2.4.3 (which I use)
so, do you want some specific version or you'll be fine with 3.0.1?

@notsolowki commented on Feb 4

3.0.1 or 3.1.1 would be fine

@KennethMcNutt commented on Feb 5

This is how they modded The p3S...Ce ,Fcc, up 27db was though it's wifi Ftp, telnet (console) ..

Read this from bottom to top..
01:10 Log Filename: log201701201904.txt
01:10 
01:10 ============================================
01:10 Restart your RC & Aircraft and Enjoy New Mod
01:10 ============================================
01:10 
01:10 Credit to: Ojcze Nasz, SingLag, Argonaise & www.phantompilots.com
Disconnected.
Disconnecting.
01:10 c
01:10
BusyBox v1.22.1 (2015-11-16 16:28:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # 
01:10 chmod 775 /sbin/watchlog.sh
Connected.
Connecting to 192.168.1.2.
Disconnected.
Disconnecting.
01:09 wlan0 ESSID: "KenP3S"
Access Point: 60:60:1F:05:E0:BD
Mode: Master Channel: 10 (2.457 GHz)
Tx-Power: 24 dBm Link Quality: 70/70
Signal: -27 dBm Noise: -89 dBm
Bit Rate: 55.2 MBit/s
Encryption: WPA2 PSK (CCMP)
Type: nl80211 HW Mode(s): 802.11abgn
Hardware: unknown [Generic MAC80211]
TX power offset: unknown
Frequency offset: unknown
Supports VAPs: yes PHY name: phy0
wlan0.sta1 ESSID: unknown
Access Point: 00:00:00:00:00:00
Mode: Master (VLAN) Channel: 10 (2.457 GHz)
Tx-Power: 24 dBm Link Quality: 70/70
Signal: -10 dBm Noise: -89 dBm
Bit Rate: 52.0 MBit/s
Encryption: none
Type: nl80211 HW Mode(s): 802.11abgn
Hardware: unknown [Generic MAC80211]
TX power offset: unknown
Frequency offset: unknown
Supports VAPs: yes PHY name: phy0
/ # 
01:09 iwinfo
01:09
BusyBox v1.22.1 (2015-11-16 16:28:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # iw reg set BO
/ # iw dev wlan0 set txpower limit 2400
/ # 
01:09 iwinfo
01:09 iw dev wlan0 set txpower limit 2400
01:09 iw reg set BO
Connected.
Connecting to 192.168.1.1.
Disconnected.
Disconnecting.
01:09 ==================
01:08 File upload OKE
01:08 Checking file ... 
01:07 Update djiled.sh on Aircraft
01:06 Final process ...
01:06 hmod 775 /sbin/watchlog.sh
/ # 
01:06 File upload OKE
01:06 Checking file ... 
01:06 c
01:06
BusyBox v1.22.1 (2015-11-16 16:28:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # 
01:06 chmod 775 /sbin/watchlog.sh
Connected.
Connecting to 192.168.1.2.
Disconnected.
Disconnecting.
01:06 Update djiled.sh on RC
01:05 / # 
01:05 Final process ...
01:05 hmod 775 /sbin/watchlog.sh
01:05 c
01:05 chmod 775 /sbin/watchlog.sh
01:04 Supports VAPs: yes PHY name: phy0
/ # 
01:04 wlan0 ESSID: "KenP3S"
Access Point: 60:60:1F:05:E0:BD
Mode: Master Channel: 10 (2.457 GHz)
Tx-Power: 17 dBm Link Quality: 70/70
Signal: -27 dBm Noise: -89 dBm
Bit Rate: 54.9 MBit/s
Encryption: WPA2 PSK (CCMP)
Type: nl80211 HW Mode(s): 802.11abgn
Hardware: unknown [Generic MAC80211]
TX power offset: unknown
Frequency offset: unknown
Supports VAPs: yes PHY name: phy0
wlan0.sta1 ESSID: unknown
Access Point: 00:00:00:00:00:00
Mode: Master (VLAN) Channel: 10 (2.457 GHz)
Tx-Power: 17 dBm Link Quality: 70/70
Signal: -11 dBm Noise: -89 dBm
Bit Rate: 52.0 MBit/s
Encryption: none
Type: nl80211 HW Mode(s): 802.11abgn
Hardware: unknown [Generic MAC80211]
TX power offset: unknown
Frequency offset: unknown
01:04 winfo
01:04 i
01:04 iwinfo
01:03 BusyBox v1.22.1 (2015-11-16 16:28:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # 
01:03 ==================
01:03 Telnet ready ...
Connected.
Connecting to 192.168.1.1.
01:03 Aircraft Ready ...
01:03 RC Ready ...
Disconnected.
Disconnecting.
01:40 
01:40 Please proceed to STEP 2
01:40 
01:39 File upload OKE
01:39 Checking file ... 
01:39 Upload watchlog.sh to aircraft
01:38 File upload OKE
01:38 Checking file ... 
01:38 Upload watchlog.sh to RC
01:37 File upload OKE
01:37 Checking file ... 
01:37 Configure Telnet to Aircraft
01:36 File upload OKE
01:36 Checking file ... 
01:36 Configure Telnet to RC
01:35 Aircraft Ready ...
01:35 RC Ready ...

hi , what about unpacking DJI X5R raw - camera - Xilinx proc Zynq 7020

https://dl.djicdn.com/downloads/osmo/OSMO_FC550R_FW_V01.03.00.40.zip
if you unpack this binary , you can find module C1 - c1_(1.15.7.17) . this file have few partition for Zynq